Method for validating messages

ABSTRACT

There is provided a method for secure communications. The method includes a computing device receiving a notification comprising a message, a counter value, a signature signed by a signer and based on the message and the counter value, and an indication of the signer. The device obtains a current counter value based on an identity of the signer, checks the signature and compares the counter value with the current counter value; and, if the counter comparison and the signature checking is successful, accepting the message.

FIELD OF THE DISCLOSURE

The present disclosure relates to secure communications, and inparticular to validating messages.

BACKGROUND

Cryptographic techniques (whether based on symmetric key cryptography,or asymmetric key cryptography or both) have been used in varioussystems and networks to secure both data and messages. The appropriatechoice of cryptographic primitives in a specific context may depend onvarious factors, such as for example, computational resource constraintsor threat models.

Warning messages are a particular type of message that have been used toprovide timely and accurate alerts, warnings and critical informationregarding disasters and other emergencies. Examples of warning messagesinclude the Public Warning System (PWS) messages described in thecontext of the Third Generation Partnership Project (3GPP). PWS providesa framework for Korean Public Alert System (KPAS), European WarningSystem (EU-ALERT), and Commercial Mobile Alert System (CMAS) messageswhich may fall into three classes: Presidential; Imminent Threat andChild Abduction Emergency; and Earthquake and Tsunami Warning System(ETWS) messages.

The structure, syntax and protocol for warning messages are typicallydetermined by regulatory requirements. Often warning messages areconstructed to be robust and compact, to facilitate communication ofimportant information during a bandwidth constrained situation, eitherdue to physical constraints imposed on a communications network, or dueto event-based traffic that results in higher than normal traffic overthe network.

Warning messages may include multiple components; for example, thewarning message may include a description of the event, the geographicalarea affected by the event, a recommended action, an expiration time forthe warning message; and the identity of an agency responsible for thewarning message.

There is a general interest to enhance the reliability, resiliency, andsecurity of messages, and in particular, warning messages to enable thepublic to take appropriate action to protect their families andthemselves from serious injury, or loss of life or property. Therefore,the transmission of messages over communication networks may requirethat certain security requirements be met. For example, securityrequirements for notifications may include any one or more of thefollowing: (a) the integrity of the messages is protected; (b) thecommunication network will protect against false messages; and (c) onlymessages from authorized and authenticated sources will be transmittedvia the communication network. Such security requirements may serve tominimize the reception of false messages that may reduce theeffectiveness of the messaging system, and in the case of warningmessages, false messages may reduce the effectiveness of the network asusers become less responsive. False messages may also cause confusion,hazardous conditions and/or widespread panic.

The security requirements for messages may be subject to regulatorypolicies and may also vary from region to region. An example of securityrequirements for notifications such as warning messages may be found inthe requirements for Public Warning System (PWS) messages broadcast in3GPP, as specified in the document, 3GPP TS 22.268 v11.2.0, “PublicWarning System (PWS) requirement (Release 11)”.

In addition to the security requirements, messages may also beassociated with certain latency requirements which require the messagesto be of limited size. For example, the Earthquake and Tsunami WarningSystem (ETWS) being standardized may contain a requirement that warningmessages transmitted in these systems have a latency of less than 4seconds from broadcast to receipt by an end computing device. Suchrequirements may ensure that messages are received by users in a timelyfashion. Such latency and/or other requirements may place a sizeconstraint limiting a number of bits used for the messages and/or anyassociated fields (e.g., security bits).

Furthermore, due to the heterogeneous nature of large communicationsystems, it is often difficult to ensure time synchronization betweeneach and every broadcast server sending messages, and recipientcommunication devices. Accordingly, the security and size requirementsof the messages must further accommodate the need to differentiatebetween currently broadcast and previously broadcast messages.

A malicious intermediary attempting to disrupt communications mayintercept an original broadcast and retransmit the broadcast at a laterpoint in time to execute a “replay attack”. Similarly, out of dateservers on the network may ‘innocently’ forward out of date messages. Inorder to forestall replay attacks or simple errors, it is desirable todistinguish between current and previously broadcast messages in orderto reduce false positive message receipts by users.

Communication networks should be designed to ensure that the securityand latency requirements for these messages are satisfied while ensuringminimal bandwidth overhead and minimal resource consumption both in thecore network and in the radio interface. In addition, the network designmay have to ensure that legacy communication devices on the network arealso able to process notifications, so as to avoid liability caused dueto users of such legacy devices not being aware of notifications. Thenetwork design may also have to account for mobile devices that may roamfrom one network to another.

DESCRIPTION OF DRAWINGS

Embodiments will now be described by way of example only, with referenceto the attached drawings in which:

FIG. 1 illustrates an exemplary embodiment of a communication system fortransmitting secure notifications;

FIG. 2 illustrates an exemplary network that allows for transmission ofthe warning messages from the Cell Broadcast Entity (CBE) to thecommunication device using various nodes in the core and accessnetworks;

FIG. 3 a illustrates, in flow diagrams, an exemplary method at acommunication device;

FIG. 3 b illustrates, in flow diagrams, an exemplary method at acommunication device;

FIG. 3 c illustrates, in flow diagrams, an exemplary method at acommunication device;

FIG. 4 illustrates, in a flow diagram, an exemplary method at a server;and

FIG. 5 is a block diagram illustrating a mobile communication device.

Like reference numerals and designations in the various drawingsindicate like elements.

DETAILED DESCRIPTION

In an implementation, a method is provided for of accepting anotification, the method comprising: receiving the notification, thenotification containing a message, a counter value, a signature, and anindication of a signer; processing the indication to obtain a signeridentity corresponding to the signer; obtaining, based on the signeridentity, a previously stored current counter value associated with thesigner; comparing the counter value with the current counter value; andaccepting the received notification based upon the comparison.

In an aspect of the method, the counter value comprises a certificatecounter value, and wherein the indication comprises the certificatecounter value and a certificate authority identity corresponding to thecertificate authority that generated the certificate counter value, andwherein the stored current counter value is further associated with thecertificate authority identity, and wherein the method furthercomprises: processing the indication to obtain the certificate authorityidentity; and, wherein the obtaining the current counter value comprisesobtaining, based on the signer identity and the certificate authorityidentity, the previously stored current counter value.

In an aspect of the method, the counter value comprises a messagecounter value and the current counter value comprises a current messagecounter value, and wherein the indication further comprises anindication counter value and a certificate authority identity, whereinthe obtaining further comprises obtaining, based on the signer identityand the certificate authority identity, a previously stored currentindication counter value associated with the signer identity and thecertificate authority identity; and wherein the comparing furthercomprises comparing the indication counter value with the currentindication counter value.

The aspect may further comprise the comparing confirming that themessage counter is greater than the current message counter, andconfirming that the indication counter is greater than or equal to thecurrent indication counter.

In an aspect of the method, the counter value comprises a messagecounter value.

In an aspect of the method, the processing the indication to obtain asigner identity comprises processing the indication to obtain public keyinformation associated with the signer, and wherein the obtaining, basedon the signer identity, comprises obtaining based on the public keyinformation.

In an aspect of the method, when the notification is accepted:processing the indication to obtain public key information; andverifying the signature using the public key information to authenticatethe notification.

The aspect may further comprise discarding the notification if thesignature is not verified.

In an aspect the method may further comprise discarding the notificationif the received notification is not accepted.

In an aspect of the method, the indication comprises a certificate or animplicit certificate.

In an aspect of the method, the comparing the counter value and thecurrent counter values comprises verifying that the counter value isequal to or greater than the current counter value.

In an aspect the method may further comprise, if the comparison fails,discarding the notification.

In an aspect of the method, the comparing the counter value and thecurrent counter values comprises verifying that the counter value isgreater than the current counter value.

The aspect may further comprise, if the comparison fails, discarding thenotification.

In an aspect of the method, the certificate is an ECQV implicitcertificate.

In an aspect of the method, the signature is one of a keyed MACsignature, DSA signature, and an ECDSA signature.

In an aspect of the method, when the received notification is acceptedbased upon the comparison, the method further comprising replacing thecurrent counter value with the received counter value.

In an aspect of the method, the received notification is a warningmessage.

In an aspect of the method, after the received notification is accepted,the method further comprising: communicating the message to a user.

In an aspect of the method, when the counter value fails the comparisonwith the current counter value, the method further comprises discardingthe received notification.

In an aspect the method may further comprise, if the comparison fails,communicating the message to a user, and including a flag identifyingthe comparison failure.

In an aspect the method may further comprise, if the comparison fails,communicating the message to a user, and including a flag identifyingthe comparison failure.

In an aspect the method may further comprise, communicating the messageto a user with a differential flag identifying a state of the countervalue, as determined by the comparison.

A computing device including a processor and memory operative to executethe any of the above methods.

A software program product comprising a non-transitory machine readablemedium comprising instructions that when executed on a processor of acomputing device enable the computing device to perform any of the abovemethods.

Referring to FIG. 1, a representative schematic of an exemplar broadcastmodel for broadcasting notifications, each containing a message, isillustrated. In the example of FIG. 1, a representative communicationsystem 100 composed of one or more source servers 10, each operative togenerate a message for broadcast through a communications network 15 toat least one of a plurality of recipient devices 20.

As will be appreciated, the communications network 15 may comprise acommon network, such as the public Internet, or may comprise acombination of separate networks, such as a private network between thesource servers 10 and a network server 30, a public network connectingthe network server 30 to a private mobile network of a communicationsprovider that provides connectivity to the recipient devices 20.

In some implementations, a source server 10 is operative to process themessage into a notification containing the message, and to broadcast thenotification to the recipient devices 20. In other implementations, thesource server 10 is operative to forward the message to a network server30 that is operative to process the message into the notificationcontaining the message, and to broadcast the notification over thecommunications network 15 to the plurality of recipient devices 20.

In some implementations, the communication system 100 may use asymmetrickey cryptography techniques to provide integrity and authenticationprotection for notifications transmitted to the one or morecommunication devices 20. In the implementation of FIG. 1, thecommunication system 100 includes at least one certificate authorityserver (CA) 40, to issue certificates that can be authenticated toconfirm an identity of the notification sender.

The CA 40, the communication devices 20, the source servers 10, and thenetwork servers 30 can communicate with each other and with othercomponents of the communication system 100 over the network 15. In theexample shown in FIG. 1, the message signer (whether a source server 10or a network server 35) can send a certificate request to the CA 40, andthe CA 40 can respond by sending a certificate. The server 10 or 30 cansend a signature of the message and certificate to the communicationdevices 20, and the communication device 20 can verify the signatureusing the certificate issued by the CA 40. The communication system 100can support additional or different types of communication. In someimplementations, the communication devices 20 and the servers 10, 30 mayalso exchange encrypted messages and other types of information witheach other, and with the CA 40. For example, a CA 40 may generate keypairs for the message signers 10, 30, and may send the private key tothe servers 10 or 30 using an encrypted channel.

The CA 40 is a computing system that can perform operations of a CA in acryptography system. The CA 40 is generally operable to receive,transmit, process, and store information associated with thecryptography system. Although FIG. 1 shows a single CA 40, a CA can beimplemented using multiple CAs 40, including server clusters, as well asadditional or different types of computing devices other than servers.

The communication system 100 can include additional, fewer, or differentcomponents. For example, the communication system 100 may includeadditional storage devices, additional servers (including additionalcertificate authority servers), additional communication devices, andother features not shown in the figure.

In the embodiment of FIG. 1, the CA 40 may issue certificates that bindan identity of a message ‘owner’, for instance the message signer thatsigned a warning message using a private key, to a corresponding publickey. A communication device 20 can utilize public key information of theCA 40 to verify this binding of the identity and the public key, priorto verifying the signature of the warning message. Necessary publicinformation for processing the certificate (e.g., the CA's public key)may be provisioned to the communication devices 20 (and any serversoptionally) either on manufacturing or in communication with a fixedroot address. As only the CA 40 is aware of the CA's private key, thecertificates may be distributed using an open channel as opposed toother solutions that may require a secure channel for the distributionof the public key.

In an implementation, a recipient of a signed message may obtainadditional confirmation that the message is a valid message, bycomparing one or more counters included as part of the message with acorresponding one or more current counters stored by the recipient.

As shown in FIG. 1, in an implementation the original message may beprocessed into a notification comprising a message, message countervalue, signature , and indication of the message signer (e.g. acertificate, or an implicit certificate, which may constitute thesecurity information of the message) for transmission to thecommunication device 20. In some implementations, the singletransmission comprises at least a portion of the original message. Insome implementations, the single transmission also comprises theentirety of the original message.

The recipient communication device 20 relies upon validating thesignature to confirm that the message is a valid message originallygenerated by a source server 10 associated with the indication of themessage signer, and relies upon the message counter value to confirmthat this is an up to date warning message, and not out of date as wouldbe the case in a replay attack.

In another implementation also illustrated in FIG. 1, the indication mayfurther include its own indication counter value that is associated withthat indication. Accordingly, the recipient relies upon validating thesignature to confirm that the message is a valid message originallygenerated by a source server 10 associated with the indication of themessage signer, and relies upon the indication counter value to confirmthat this is an up to date indication, and not out of date as would bethe case in a replay attack.

In an implementation, both the message counter and the indicationcounter are present, and the computing device may evaluate both themessage counter value and the indication counter value to confirm thatthis is a valid up to date warning message that includes a valid up todate indication.

In the 3GPP context for warning messages, this single transmission maybe implemented as Cell Broadcast Service (CBS) data. Section 9.3 of 3GPPTS 23.401 v11.0.0: “General Packet Radio Service (GPRS) enhancements forEvolved Universal Terrestrial Radio Access Network (E-UTRAN) access”,for example, notes that the CBS message consists of at least some ofseveral parameters including the warning message and the securityinformation.

FIG. 2 shows an exemplary Public Warning System (PWS) architecture(presented in 3GPP TR 33.869) that allows for such a single transmissionof a notification to a communication device 202. The architecture ofFIG. 2 is included by way of example only, and other networkarchitectures utilizing one or more of various radio networktechnologies may be used instead.

PWS is an umbrella for several emergency warning systems, such asweather, earthquake, etc. Due to the broad distribution of warningmessages, it is desirable to ensure the integrity and security of thewarning messages to avoid misuse of the system. The security requirementis primarily on account of the air interface between the communicationdevices and the access network where the warning messages are broadcastto the devices. The Cell Broadcast Centre (CBC) server is part of thecore network and connects to the appropriate network node. For GSM RadioAccess Network (GERAN), the CBC server connects with the Base StationController (BSC) in the access network; for Universal Terrestrial RadioAccess Network (UTRAN), the CBC server connects with the Radio NetworkController (RNC) in the access network; and for Evolved Universal/UMTSTerrestrial Radio Access Network (E-UTRAN), the CBC server connects withthe Mobile Management Entity (MME) in the core network. The CellBroadcast Entity (CBE) server 206 is external to the access and corenetworks and may be responsible for all aspects of formatting the CellBroadcast Service (CBS), which is transmitted to the communicationdevice 202 using the CBC server and associated network nodes. Thetransmission of the warning messages to the communication device 202 areachieved using the Base Transceiver Station (BTS), Node B or theevolved-Node B in GERAN, UTRAN and E-UTRAN respectively.

In some scenarios, the warning messages may be broadcast to allcommunication devices (even those that may be in idle mode) within ageographical region, with no requirement of an acknowledgement from thecommunication devices.

The PWS may specify a specific latency requirement for warning messages,in order to ensure timely delivery of the messages to all communicationdevices. These latency requirements may entail that the warning messagesand/or associated data fields (e.g., security information including thesignature and the certificate) be subject to size constraints. Requiredsecurity levels may place a requirement on the size of the public keysbeing used and thus, the associated certificates and the generatedsignatures. In general then, warning messages are typically subject tostringent size constraints, in order to ensure they are actuallyreceived in a timely fashion in order to alert recipients of an event.

One proposal for improving the security of warning messages is toinclude an implicit certificate based approach. Under this approach, amessage signer periodically obtains an implicit certificate from acertificate authority (CA), and includes the implicit certificate aspart of the security message portion of a message such as a warningmessage. The implicit certificate, combined with the CA's public key,results in the message signer's public key. A recipient is able toverify the signature using the message signer's public key.

Since messages and implicit certificates are typically time limited, thesecurity system relies upon the communication devices 20 being able toalso confirm the validity of the message, or implicit certificate, basedupon a timestamp or other measure. A particular problem faced by warningmessage systems, is that using timestamps to date either the certificateor the message is undesirable as it requires synchronization between theCA 40, the message signer, and the recipient communication device 20. Ifthe synchronization fails, otherwise valid warning messages would berejected by the recipient communication device 20.

Including some form of time limitation is desirable to prevent replayattacks. A replay attack occurs when a third party intercepts a validtransmission, and either repeats or delays transmission of the validmessage to the recipients. In the context of a PWS, a replay could alsobe caused inadvertently by a malfunctioning server repeatedlybroadcasting an expired message.

Under both scenarios, the receipt and acceptance of expired messages byrecipient devices can risk the integrity of the PWS. Users may beinitially confused, and incorrectly take corrective action for an eventthat is not occurring, or may ignore future messages if they lose faithin the authenticity and timeliness of messages that they receive. Asnoted above, use of a timestamp with an implicit certificate approach isa valid method for avoiding replay attacks. A particular problem facedin the context of PWS, however, is ensuring synchronization across allof the devices in the system.

In an implementation, a notification includes a message counter is usedto provide additional information to allow a recipient to confirm thatthe message is up to date. In addition to the message counter, thenotification includes sufficient information for a recipientcommunication device to classify and authenticate the message counterbased upon at least an identity of the message signer. As may beappreciated, due to the size constraints placed on warning messages, itis desirable to minimize the amount of security information includedwith the message, and still allow the recipient communication device toclassify and authenticate the message counter. In an aspect thenotification includes identifying information within an indicationportion of the notification. In an aspect, the identifying informationmay cormprise public key reconstruction data, as illustrated in FIG. 1.

In an implementation, an indication counter is used to provideadditional information to allow a recipient to confirm that theindication (e.g. a certificate or an implicit certificate) is up todate. In addition to the indication counter, the message includessufficient information for a recipient communication device to classifyand authenticate the indication counter based upon at least both anidentity of the message signer and an identity of the CA that was usedto provide a certificate for that message. As may be appreciated, due tothe size constraints placed on warning messages, it is desirable tominimize the amount of security information included with the message,and still allow the recipient communication device to classify andauthenticate the indication counter.

Referring again to FIG. 1, the servers such as the source servers 10,network servers 30, and the CA 40, generally include a data processingapparatus, a data storage medium, and a communication interface. Thememory can include, for example, a random access memory (RAM), a storagedevice (e.g., a writable read-only memory (ROM)), a hard disk, oranother type of storage medium.

The exemplary CA 40 of FIG. 1 can be preprogrammed or it can beprogrammed (and reprogrammed) by loading a program from another source(e.g., from a CD-ROM, from another computer device through a datanetwork, or in another manner). The I/O controller can be coupled toinput/output devices (e.g., a monitor, a keyboard) and to the network15. The input/output devices receive and transmit data in analog ordigital form over communication links such as a serial link, wirelesslink (e.g., infrared, radio frequency), parallel link, or another typeof link. The memory can store instructions (e.g., computer code)associated with computer applications, programs and computer programmodules, and other resources. The memory can also store application dataand data objects that can be interpreted by applications, programs,modules, or virtual machines running on the CA 40. The memory can storeadditional information, for example, files and instruction associatedwith an operating system, device drivers, archival data, or other typesof information. The processor can execute instructions to generateoutput data based on data inputs. For example, the processor can runapplications and programs by executing or interpreting software,scripts, functions, executables, and other types of computer programmodules. The input data received by the processor and the output datagenerated by the processor can be stored in a computer-readable medium,such as the memory or a storage device.

The network 15 can include any collection of terminals, links and nodeswhich connect to enable communication between users of terminals. Forexample, the network 15 can include a wireless or wired network, acellular network, a telecommunications network, an enterprise network,an application-specific public network, a Local Area Network (LAN), aWide Area Network (WAN), a private network, a public network (such asthe Internet), a WiFi network, a network that includes a satellite link,or another type of communication network. The network 15 can include atiered structure defined by firewalls or similar features that implementvarious levels of security. The network 15 may comprise of various nodessuch as servers, gateways, or routers.

Communication devices 20 are computing devices that can communicate overthe communication network 15 based on communication schemes specified bythe cryptography system. The communication devices 20 are generallyoperable to receive, transmit, process, and store information. Thecommunication devices 20 typically include a data processing apparatus,a data storage medium, and a communication interface.

In some implementations the signer can be one of the source servers 10,for instance an agency distributing the message. In otherimplementations the signer can be a centralized entity that collectsmessages from a number of source servers 10, such as network server 30.In the example where the notification is a warning message, the sourceservers 10 may each correspond to an organization responsible foridentifying a warning condition such as a weather event, earthquake,fire, etc., and the network server 30 can be a central broadcast entitythat receives messages from a plurality of different organizations, andprocesses their messages to generate the notification that may bebroadcast to the communication devices 20.

In an implementation, a message generated by a message source, such assource server 10, is processed to produce a notification that may bebroadcast out to the communication devices 20. In order to ensure theintegrity and authenticity of the message, the processing includes amessage signer allocating a message counter value for the message,signing the message and message counter value, and generating anindication of the message signer. The indication may comprise, forinstance a certificate or implicit certificate. The message, signature,message counter value, and indication may be packaged into thenotification for broadcast to the communication devices 20. In theimplementation, the message counter value may replace a messagetimestamp that might normally be present.

In an implementation the signature is generated using the messagesigner's private key, the message, and the message counter value. Insome implementations, the signature may further be generated using theindication, such as an implicit certificate corresponding to the messagesigner's private key. In this fashion, the signature may be said to bebased on the message and the message counter value, and in someimplementations further based upon the indication.

In an implementation, the message counter value allocated by the messagesigner is further associated with an identity of a CA 40 thatcorresponds to the indication. Accordingly, when allocating the messagecounter value for a message, the message signer would allocate a valuenext in sequence based upon the preceding message counter value used fora previous message sent by that message signer and secured by anindication from the same CA 40. In this fashion, the message signerwould maintain a separate counter sequence for each CA 40 that it mightuse when signing messages.

After signing the message and the message counter value, the messagesigner may then broadcast, either directly or through an intermediary,the notification that includes the message, the message counter valuecorresponding to the signer, the signature signed by the signer andbased on the message and the message counter value, and the indicationof the signer, such as a certificate or implicit certificate, over thenetwork to the communication devices 20.

The signer public key corresponding to the signer private key used bythe signer is identified by the indication of the signer, and may beused by a recipient, such as one of the communication devices 20, toidentify the signer and verify the signature. Typically, the CA 40 maybe used by the communication devices 20 in the verification process. Forinstance, the communication device 20 may obtain a certificate authoritypublic key to process the indication to obtain the signer's public key.Typically, the indication may comprise a certificate or implicitcertificate issued by the CA 40 for that signer.

Before accepting the verified notification, the recipient can obtainadditional information regarding the message by confirming that this isa valid up to date message sent by the signer. The recipient obtainsthis additional confirmation by comparing the message counter value witha current counter value maintained by the recipient and associated withthe message signer. The identity of the message signer may be obtainedbased upon the indication of the signer. In these implementations, therecipient stores a current counter value and associates the storedcurrent counter value with the identity of the signer.

In some implementations, as explained above, the message counter valueallocated by the message signer may further correspond with the CA 40that provided the indication. Typically, the message counter value willfurther correspond to the certificate issued by the CA 40, so that whena new certificate is issued, a new counter sequence will be initiated.

In these implementations, a message current counter value is stored andassociated with both the identity of the signer and the CA 40.Accordingly, the communication device 20 may maintain a plurality ofcurrent message counter values stored in association with each signer,each of the plurality of current message counter values associated withthat signer corresponding to the issuing CA 40, and/or certificateassociated with that signed message. The communication device 20 mayprocess the indication, for example a certificate or implicitcertificate, to obtain an identity of the signer and an identity of theCA 40. The communication device 20 may then obtain the current messagecounter value based on both the signer identity and the certificateauthority identity (or specific certificate as the case may be).

The current message counter value may be, for example, retained in amemory of the communication device 20, or may be available to thecommunication device 20 over the network 15. Typically the currentmessage counter value is a message counter value of an earliernotification that was previously stored by the communication device 20.

In some implementations, the comparison may proceed by determiningwhether the message counter value is greater than the current messagecounter value, and if the message counter value is greater than thecurrent message counter value, then the communication device 20 acceptsthe received notification as it has some confirmation that this is a newnotification, and not a previously broadcast notification. Thecomparison may require that the message counter is greater than thestored current message counter where it is desirable to confirm thatthis is a new message not previously received by the communicationdevice 20.

In some implementations, the comparison may proceed by determiningwhether the message counter value is greater than or equal to thecurrent message counter value, and if the message counter value isgreater than or equal to the current message counter value, then thecommunication device 20 accepts the received notification as it has someconfirmation that this is a current notification, and not an out of datepreviously broadcast notification. The comparison may require that themessage counter is greater than or equal to the stored current messagecounter where it is desirable to confirm, for instance, that thismessage relates to a current message being broadcast. In animplementation, this comparison may be used, for instance, where it isdesirable to send and have a series of messages received by thecommunication device 20 as part of the communication strategy. When acondition changes, the next message may institute a new message countervalue, such that the messages relating to the previous condition are nolonger accepted by the communication device 20.

In implementations where the indication is a certificate or implicitcertificate, the identity of the signer and the identity of the CA 40may be obtained by processing the certificate or implicit certificate,as known for standard certificate verification procedures.

The public key used to verify the signature of the warning messages maybe distributed to the communication devices 20 so as to maintain trust,i.e., the communication devices 20 must be assured that the public keyis associated with the identity of the message signer (the owner of theprivate key used to generate the signature of the warning messages).This trust may allow for improved protection against false warningmessages, for example, from unauthorized sources.

As indicated above, in an implementation an indication counter value maybe used. The indication counter value being directly associated with theindication, such as the certificate or implicit certificatecorresponding to the message signature. Implementation of the indicationcounter value is similar to that of the message counter value describedabove, except that the indication counter value is always associatedwith both the message signer identity and the indication identity (i.e.the identity of the CA 40). The indication counter value is preferablylocated within the indication, and for instance may replace acertificate timestamp that may normally be included.

It is noted that for the indication counter value, it is preferred tolimit the comparison to determining whether the indication counter valueis greater than or equal to the stored current indication counter value.This is preferred as it is common practice to re-use the certificatesfor a period of time, and it would be preferred to only change theindication counter value when the certificate or implicit certificate isupdated.

In an implementation where both a message counter value and anindication counter value are included in the message, the recipientcommunications device 20 may adopt different procedures to confirm theauthenticity of received messages. For instance, for the first messagereceived, the communication device 20 may confirm that both the messagecounter value and the indication counter value are up to date. Forsubsequent messages the communication device 20 may choose to onlyconfirm the message counter value, for instance, provided that it isable to verify that the public key derived from the indication is thesame as a previous public key. In this fashion, the communication device20 may skip confirming the indication counter when it is determined thatthe implicit certificate is a current implicit certificate and unchangedfrom the previously received implicit certificate.

FIGS. 3 a to 3 c provide illustration of exemplary steps to be taken bya communication device 20 when confirming a message using a messagecounter value. Similar steps may be taken for confirming the messageusing the indication counter value, or a combination of the messagecounter value and the indication counter value. Essentially, eachdecision step evaluates either the message counter value, the indicationcounter value, or both the message counter value and the indicationcounter value.

FIG. 3 a shows an exemplary method that can be performed by acommunication device 20, in accordance with an aspect of the disclosure.The communication device 20 receives a notification, such as a warningmessage, comprising a message, message counter, signature and anindication of the message signer such as a certificate or implicitcertificate at 310.

The communication device 20 verifies the signature, at 320, using apublic key associated with the indication of the message signer. Thecommunication device 20 may employ a variety of known certificateauthentication schemes to generate a public key from securityinformation derived from the indication of the message signer includedwith the warning message. For instance, the communication device 20 mayobtain the message signer's public key, by contacting the CA 40 andidentifying the message signer using the indication of the messagesigner to obtain the corresponding message signer's public key.Alternatively, the communication device 20 may retain a certificateauthority public key in persistent memory associated with the CA 40. Inthis implementation, the communication device 20 may regenerate thepublic key of the message signer from the certificate authority publickey and the certificate authority public key reconstruction valueincluded with the implicit certificate of the indication.

In an implementation, the indication of the message signer may comprisean implicit certificate of the message signer. The communication device20 may reconstruct the public key of the message signer using theimplicit certificate. The public key of the message signer signaling anidentity of the message signer.

If the signature verification fails, the communication device 20 mayexecute a failed signature verification function, at 340, which mayinclude notifying the CA 40, notifying the source server 10 or networkserver 30, and/or displaying a message to a user of the device 20indicating the failed signature verification.

If the signature verification succeeds, the communication device 20locates a stored current message counter value for the message signer,at 330, using at least an identity of the message signer. In an aspect,the communication device 20 may maintain a message counter store thatstores at least a current message counter for each message signer. Thecurrent message counter being the message counter associated with themost recent communication received from that message signer. Forinstance, where the indication of the message signer comprises animplicit certificate, the communication device 20 may reconstruct thepublic key of the message signer using the implicit certificate, and usethe reconstructed public key to identify the message signer and locatethe current message counter for that message signer.

Depending upon the protocol, test messages, maintenance messages andwarning messages may each be provided with an incremental counter valuefor each message signer. Alternatively, only some of the messages, suchas only test messages and warning messages, may include the incrementalmessage counter value. The store of counters includes a reference orpointer to associate each message counter with its corresponding messagesigner. As messages are received and verified, the message counter storemay be updated so the current message counter value in the storereflects the most recent message received and verified by thecommunication device 20. In some implementations, a maintenance messagemay be used to increment some or all of the stored current messagecounters associated with a message signer.

Depending upon the form of the indication of the message signer, and thestructure of the message counter store, locating the current messagecounter for the message signer may be a direct comparison of theindication of the message signer to the reference. Alternatively, thecommunication device 20 may need to process the indication of themessage signer in order to identify the corresponding reference. Forinstance, the indication may comprise an implicit certificate, and thecommunication device 20 may need to process the implicit certificate toidentify the message signer and corresponding reference.

After locating the current message counter value for the message signer,the communication device 20 compares the message counter value from thewarning message with the stored current message counter value associatedwith the signer to determine whether the message is valid.

In some implementations, the comparison comprises determining whetherthe received message counter value is greater than the stored currentmessage counter value. If the message counter value is not greater thanthe current message counter value, then the communication device 20 hasalready processed the warning message, and accordingly executes acounter fail function at 360. In some implementations, the comparisoncomprises determining whether the received message counter value isgreater than or equal to the stored current message counter value. Ifthe counter value is not greater than or equal to the current countervalue, then the warning message is not considered to be authenticated,and accordingly the communication device 20 executes the counter failfunction at 360.

The counter fail function, at 360, may provide for different actionsdepending upon the circumstances. In an implementation, the counter failfunction communication device 20 may simply discard the warning message.In another implementation, the counter fail function 360 may keep butflag messages where the counter value is equal to the current countervalue, to alert the user of a possibility of a repeated message.

In a further implementation, the counter fail function 360 may keep butdifferentially flag messages that identifies a state of the countervalue in order to distinguish between cases where the counter value isone of: less than the current counter value, equal to the currentcounter value, and greater than the current counter value. In thefurther implementation the user is empowered to accept or ignore themessages based upon the differential flags, but messages are stilldisplayed to the user for review.

If the comparison of the counter value with the current counter value issuccessful, the communication device 20 may proceed to communicate themessage to the user, such as through a display message function, at 370.The display message function communicates the message to the user, forinstance by sounding a tone, replaying a recording, displaying text orimages on a screen, or some other output for communicating informationto a user of the communication device 20. The display message functionmay further update the message counter store to update the storedcurrent message counter value with the message counter value from themessage.

When a counter has run through all available bits, the signer may assignitself a new ‘identity’ with a counter value of 0, for instance byrequesting a new implicit certificate from the CA 40.

When the communication device 20 receives a message for which there isno corresponding signer or CA 40 identified in its current counterstore, the communication device 20 may initiate a new stored currentcounter value for that signer. In an implementation, the default storedcurrent counter value for new signers may be “0”. In this case, thecomparison of the first message would always be accepted, and thecurrent counter store would be updated to the counter value in thatfirst message.

In an implementation, in specific locations where there is expected tobe a large number of new arrivals, for instance an airport, regularmaintenance messages may be broadcast locally to update communicationdevices 20 with the current counter value before they leave thelocation. The implementation provides some surety that a large number ofcommunication devices 20 physically entering a network at a locallocation, and that are out of date, will be updated before they roam tothe network at large.

FIG. 3 b shows an alternate method for execution by the communicationdevice 20 in which the device first locates the current message counterfor the message signer, at 330, and compares the message counter with acurrent message counter value, for instance to check to confirm whetherthe message counter is greater than the current counter, at 350, beforeverifying the signature, at 320. As will be appreciated, while both themessage counter check and the signature check must occur to complete thecommunicate message function at 370, it is possible for thecommunication device 20 to perform the message counter check and thesignature check in either order.

FIG. 3 c shows an exemplary method that can be performed by acommunication device 20. The device 20 processes an indication from areceived notification to obtain a signer identity at step 380. Thepublic key and a stored current message counter value are obtained basedupon the signer identity at step 385. The signature is verified usingthe indication, and the message counter is compared with the currentcounter value at step 390. The notification is accepted based upon thesuccessful verification and comparison at step 395.

While the above methods are described with reference to the messagecounter in particular, it is understood that the same procedure may beapplied to embodiments that employ an indication counter, as well asembodiments that employ a message counter and an indication counter. Inthese embodiments the methods described above may be adapted byemploying the indication counter, or a combination of a message counterand an indication counter, in place of the message counter describedabove.

FIG. 4 shows an exemplary method that can be performed by a server,source server 10 or network server 30, to generate a notification inaccordance with an aspect of the disclosure. The server 10, 30 obtains amessage and a message counter at step 410. The message may, forinstance, comprise a warning initiated by a warning service.

As discussed above, in an implementation a source server 10 may beoperative to generate the message, and sign the message and messagecounter to create the signed message.

As further discussed above, in an alternate implementation the sourceserver 10 may provide a message to a network server 30. In theimplementation the network server 35 obtains at least the message fromthe source server 10, and may either receive a counter value from thesource server 10, or the network server 30 may generate the countervalue.

The server 10, 30, as message signer, signs the message and messagecounter using a private key, at 420. The server 10, 30 generates anotification comprised of the signed message and message counter, thesignature, and an indication of the message signer at 430. Theindication of the message signer comprising information sufficient for arecipient to obtain or generate a public key of the message signercorresponding to the private key of the message signer. In animplementation, the indication of the message signer comprises animplicit certificate of the message signer. In an implementation, theindication of the message signer comprises a certificate of the messagesigner.

The server 10, 30 then broadcasts the notification, at 440, to thecommunication devices 20. As will be appreciated, while the method isdescribed in terms of a single server performing all steps of themethod, some or all of the steps may be distributed across multiplecomputing devices depending upon specific system requirements.

In accordance with the above described methods, a system for generatingand distributing notifications such as warning messages is provided thatdoes not require the synchronization of counters or time stamps betweena central server and remote communication devices. In executing theabove methods, the communication devices 20 each maintain in a storetheir own current message counter value associated with a message signerbased upon messages received from the message signer, and/or their owncurrent indication counter value associated with an indication of themessage signer such as a certificate or implicit certificate. If acommunication device 20 is out of contact with the message server, forinstance by being disconnected from the network 15 while roaming orbeing turned off, the current counter value(s) associated with themessage signer retained in the store may lag the counters beingdistributed by the server 10, 30. Upon receiving a next message, thecommunication device 20 will update the current counter value(s)retained in the store.

Unlike prior art methods, the present approach provides a flexiblesystem that allows for some security against replay attacks that isintended to be sufficient to prevent mass panic since a majority ofcommunication devices 20 will reject a replay attack.

Furthermore, implementation of the method allows for automatic filteringof repeated messages. In many warning broadcasts, a same message will berepeated multiple times to ensure delivery of the warning message.According to the above methods, once a communication device 20 hasreceived a notification such as a warning message, subsequent repeatedmessages will be identified as repeated messages. In an implementation,the message counter fail function 360 may further comprise communicatingthe warning message to the user, along with a flag to identify themessage as a repeated message. In an implementation, every warningmessage communicated to the user may further comprise identification ofeither the message counter value or a representation of the messagecounter value. Accordingly, when communicating a repeated warningmessage to the user, the communications device 20 may communicate boththe current message counter value, or representation, and the messagecounter value, or representation, of the repeated message to the user.In this manner, the user is provided with additional information todetermine whether the message is simply a delayed warning message, andthe warning is still actionable, or if the message is a replay attackand should be discarded.

In cases where an indication counter is utilised, the communicationdevice 20 may distinguish between repeated messages employing the sameindication and having the same indication counter value as the currentindication counter value, and old or invalid messages that includeindication counter values smaller than the current indication countervalue.

In an implementation where the communication device 20 maintains a storeof received warning messages, the message counter fail function 560 mayfurther comprise associating the counter value of the repeated messagewith a previously received counter value and associated previouslyreceived message. The computing device 20 may then communicate therepeated warning message and at least a portion of the previouslyreceived message to the user. In an aspect, the communication device 20may re-format the messages to communicate the meta data for the messagesas a comparator, along with the message itself, to the user. The metadata may include, for instance, a message date/time stamp, eithercontained in the message itself, or having been previously created bythe communication device 20 when the previously received message wasstored. In this manner, the user is provided with additional informationto determine whether the message is simply a delayed warning message,and the warning is still actionable, or if the message is a replayattack and should be discarded.

In an implementation, the message counter fail function 360 may furthercomprise reformatting the repeated warning message to include both acurrent (local) time, and potentially a current time zone, as well as amessage time, and potentially a time zone, of the repeated warningmessage from the signed message meta data. In this manner, bycommunicating both the current time and the message time to the userwhen a message counter is repeated, the user is provided with additionalinformation to determine whether the message is simply a delayed warningmessage, and the warning is still actionable, or if the message is areplay attack and should be discarded.

In an implementation, the server 10, 30 may change the public key inorder to identify a ‘new’ message signer to re-fresh a message countervalue or an indication counter value. Accordingly, the server 10, 30 mayperiodically change its private and public keys, forcing a re-set of themessage counter value and/or the indication counter value along with anew message signer identity. Depending upon a periodicity of the privateand public key change, the server 10, 30 may further secure warningmessages from replay attack as all prior messages and counter valueswill effectively be discarded since each counter is associated with amessage signer.

Communication device 20 can each include memory, a data processor, aninput/output controller, user interface(s) (for example, a monitor, atouchscreen, mouse, or keyboard), and are operative to interface withthe network 15. The memory of the communication device 20 can storemessages and information associated with the cryptography system. Forexample, a communication device 20 may store the public and private keydata, digital certificate data, and other types of information. Thememory of the communication device 20 can store instructions (e.g.,computer code) associated with computer applications, programs andcomputer program modules, and other resources. Communication devices 20can include handheld devices such as smart phones, personal digitalassistants (PDAs), portable media players, laptops, notebooks, tablets,and others. They may also include work stations, mainframes,non-portable computing systems, devices installed in structures,vehicles, and other types of installations.

FIG. 5 is a block diagram illustrating a mobile device, which can act asa communication device 20 and can co-operate with the apparatus andmethods described above, and which is an exemplary wirelesscommunication device 20. Mobile device 900 is preferably a two-waywireless communication device having voice and/or data communicationcapabilities. Mobile device 900 preferably has the capability tocommunicate with other computer systems on the Internet. Depending onthe exact functionality provided, the wireless device may be referred toas a data messaging device, a two-way pager, a wireless e-mail device, acellular telephone with data messaging capabilities, a wireless Internetappliance, or a data communication device, as examples.

Where mobile device 900 is enabled for two-way communication, it willincorporate a communication subsystem 911, including both a receiver 912and a transmitter 914, as well as associated components such as one ormore, preferably embedded or internal, antenna elements 916 and 918,local oscillators (LOs) 913, and processing means such as a processingmodule such as a digital signal processor (DSP) 20. As will be apparentto those skilled in the field of communications, the particular designof the communication subsystem 911 will be dependent upon thecommunication network in which the device is intended to operate. Forexample, mobile device 900 may include a communication subsystem 911designed to operate within the Mobitex™ mobile communication system, theDataTAC™ mobile communication system, GPRS network, UMTS network, EDGEnetwork or LTE network.

Network access requirements will also vary depending upon the type ofnetwork 902. For example, in the Mobitex and DataTAC networks, mobiledevice 900 is registered on the network using a unique identificationnumber associated with each mobile device. In LTE, UMTS and GPRSnetworks, however, network access is associated with a subscriber oruser of mobile device 900. A GPRS mobile device therefore requires asubscriber identity module (SIM) card in order to operate on a GPRSnetwork. Without a valid SIM card, a GPRS mobile device will not befully functional. Local or non-network communication functions, as wellas legally required functions (if any) such as “911” emergency calling,may be available, but mobile device 900 will be unable to carry out anyother functions involving communications over the network 902. The SIMinterface 944 is normally similar to a card-slot into which a SIM cardcan be inserted and ejected like a diskette or PCMCIA card. The SIM cardcan have approximately 64 K of memory and hold many key configuration951, and other information 953 such as identification, and subscriberrelated information.

When required network registration or activation procedures have beencompleted, mobile device 900 may send and receive communication signalsover the network 902. Signals received by antenna 916 throughcommunication network 902 are input to receiver 912, which may performsuch common receiver functions as signal amplification, frequency downconversion, filtering, channel selection and the like, and in theexample system shown in FIG. 8, analog to digital (A/D) conversion. A/Dconversion of a received signal allows more complex communicationfunctions such as demodulation and decoding to be performed in the DSP920. In a similar manner, signals to be transmitted are processed,including modulation and encoding for example, by DSP 920 and input totransmitter 914 for digital to analog conversion, frequency upconversion, filtering, amplification and transmission over thecommunication network 902 via antenna 918. DSP 920 not only processescommunication signals, but also provides for receiver and transmittercontrol. For example, the gains applied to communication signals inreceiver 912 and transmitter 914 may be adaptively controlled throughautomatic gain control algorithms implemented in DSP 920. In the 3GPPenvironment, the single transmission may be broadcast to thecommunication devices within a certain geographical area (also known asNotification Area) using the Cell Broadcast Channel (CBCH).

The mobile device may include a cryptographic module 957 that isoperable to perform the various operations described above. Thecryptographic module may perform one or more of the various steps forverification of the signature of the warning message. The cryptographicmodule may allow for representation of the elliptic curve points indifferent formats and may perform various conversion operations forconverting among the different formats and other routines for checkingthe validity of each format. For example, an ECC scheme may specify abit string format, an elliptic curve point format, an octet stringformat, an integer format, a field element format, and others.Correspondingly, other entities of the system of FIG. 3 such as CA 40and the message signer servers (10 or 35) may also include cryptographicmodules configured to perform various cryptographic operations such asdescribed above.

Mobile device 900 preferably includes processing means such as amicroprocessor 938 which controls the overall operation of the device.Communication functions, including at least data and voicecommunications, are performed through communication subsystem 911.Microprocessor 938 also interacts with further device subsystems such asthe display 922, flash memory 924, random access memory (RAM) 926,auxiliary input/output (I/O) subsystems 928, serial port 935, keyboard932, speaker 934, microphone 936, a short-range communications subsystem940 and any other device subsystems generally designated as 942.

Some of the subsystems shown in FIG. 7 perform communication-relatedfunctions, whereas other subsystems may provide “resident” or on-devicefunctions. Notably, some subsystems, such as keyboard 932 and display922, for example, may be used for both communication-related functions,such as entering a text message for transmission over a communicationnetwork, and device-resident functions such as a calculator or tasklist.

Operating system software used by the microprocessor 938 is preferablystored in a persistent store such as flash memory 924, which may insteadbe a read-only memory (ROM) or similar storage element (not shown).Those skilled in the art will appreciate that the operating system,specific device applications, or parts thereof, may be temporarilyloaded into a volatile memory such as RAM 926. Received communicationsignals may also be stored in RAM 926.

As shown, flash memory 924 can be segregated into different areas forboth computer programs 958 and program data storage 950, 952, 954 and956. These different storage types indicate that each program canallocate a portion of flash memory 924 for their own data storagerequirements. Microprocessor 938, in addition to its operating systemfunctions, preferably enables execution of software applications on themobile device. A predetermined set of applications that control basicoperations, including at least data and voice communication applicationsfor example, will normally be installed on mobile device 900 duringmanufacturing. A preferred software application may be a personalinformation manager (PIM) application having the ability to organize andmanage data items relating to the user of the mobile device such as, butnot limited to, e-mail, calendar events, voice mails, appointments, andtask items. Naturally, one or more memory stores would be available onthe mobile device to facilitate storage of PIM data items. Such PIMapplication would preferably have the ability to send and receive dataitems, via the wireless network 902. In a preferred embodiment, the PIMdata items are seamlessly integrated, synchronized and updated, via thewireless network 902, with the mobile device user's corresponding dataitems stored or associated with a host computer system. Furtherapplications may also be loaded onto the mobile device 900 through thenetwork 902, an auxiliary I/O subsystem 928, serial port 935,short-range communications subsystem 940 or any other suitable subsystem942, and installed by a user in the RAM 926 or preferably a non-volatilestore (not shown) for execution by the microprocessor 938. Suchflexibility in application installation increases the functionality ofthe device and may provide enhanced on-device functions,communication-related functions, or both. For example, securecommunication applications may enable electronic commerce functions andother such financial transactions to be performed using the mobiledevice 900.

In a data communication mode, a received signal such as a text messageor web page download will be processed by the communication subsystem911 and input to the microprocessor 938, which preferably furtherprocesses the received signal for output to the display 922, oralternatively to an auxiliary I/O device 928. A user of mobile device900 may also compose data items such as email messages for example,using the keyboard 932, which is preferably a complete alphanumerickeyboard or telephone-type keypad, in conjunction with the display 922and possibly an auxiliary I/O device 928. Such composed items may thenbe transmitted over a communication network through the communicationsubsystem 911.

For voice communications, overall operation of mobile device 900 issimilar, except that received signals would preferably be output to aspeaker 934 and signals for transmission would be generated by amicrophone 936. Alternative voice or audio I/O subsystems, such as avoice message recording subsystem, may also be implemented on mobiledevice 900. Although voice or audio signal output is preferablyaccomplished primarily through the speaker 934, display 922 may also beused to provide an indication of the identity of a calling party, theduration of a voice call, or other voice call related information forexample. The display 922 may also be used to provide the warningmessages to the user of the mobile device. As noted before, in someimplementations, the warning message may be displayed only if theverification of the signature of the warning message is successful. Inother implementations, at least a portion of the warning message isdisplayed even if the verification of the signature is unsuccessful orincomplete. The warning message may be displayed upon reception withoutany user interaction.

Serial port 930 would normally be implemented in a mobile device forwhich synchronization with a user's desktop computer (not shown) may bedesirable, but is an optional device component. Such a port 930 wouldenable a user to set preferences through an external device or softwareapplication and would extend the capabilities of mobile device 900 byproviding for information or software downloads to mobile device 900other than through a wireless communication network. The alternatedownload path may for example be used to load the CA's public keythrough a direct and thus reliable and trusted connection to therebyenable secure device communication.

Other communications subsystems 940, such as a short-rangecommunications subsystem, is a further optional component which mayprovide for communication between mobile device 900 and differentsystems or devices that are similarly enabled, which need notnecessarily be similar devices. For example, the subsystem 940 mayinclude an infrared device and associated circuits and components or aBluetooth™ communication module.

Furthermore it will be noted that the apparatus described herein maycomprise a single component such as a mobile device or other userequipment or access network components, a combination of multiple suchcomponents for example in communication with one another or asub-network or full network of such components.

Some of the specific implementations may have been described herein inrelation to 3GPP specifications. However the method and apparatusdescribed are not intended to be limited to the specifications or theversions thereof referred to herein but may be applicable to futureversions or other specifications.

Subject matter and operations described in this specification can beimplemented in digital electronic circuitry, or in computer software,firmware, or hardware, including the structures disclosed in thisspecification and their structural equivalents, or in combinations ofone or more of them. Some of the subject matter described in thisspecification can be implemented as one or more computer programs, i.e.,one or more modules of computer program instructions, encoded onnon-transitory computer storage medium for execution by, or to controlthe operation of, data processing apparatus. Alternatively or inaddition, the program instructions can be encoded for transmission tosuitable receiver apparatus for execution by a data processingapparatus. A computer storage medium can be, or be included in, acomputer-readable storage device, a computer-readable storage substrate,a random or serial access memory array or device, or a combination ofone or more of them. Moreover, while a computer storage medium is not apropagated signal, a computer storage medium can be a source ordestination of computer program instructions encoded in an artificiallygenerated propagated signal. The computer storage medium can also be, orbe included in, one or more separate physical components or media (e.g.,multiple cards, disks, or other storage devices).

The operations described in this specification can be implemented asoperations performed by a data processing apparatus on data stored onone or more computer-readable storage devices or received from othersources. The term “data processing apparatus” encompasses all kinds ofapparatus, devices, and machines for processing data, including by wayof example a programmable processor, a computer, a system on a chip, ormultiple ones, or combinations, of the foregoing. The apparatus caninclude special purpose logic circuitry, e.g., an FPGA (fieldprogrammable gate array) or an ASIC (application-specific integratedcircuit). The apparatus can also include, in addition to hardware, codethat creates an execution environment for the computer program inquestion, e.g., code that constitutes processor firmware, a protocolstack, a database management system, an operating system, across-platform runtime environment, a virtual machine, or a combinationof one or more of them. The apparatus and execution environment canrealize various different computing model infrastructures, such as webservices, distributed computing and grid computing infrastructures.

A computer program (also known as a program, software, softwareapplication, script, or code) can be written in any form of programminglanguage, including compiled or interpreted languages, declarative orprocedural languages, and it can be deployed in any form, including as astand-alone program or as a module, component, subroutine, object, orother unit suitable for use in a computing environment. A computerprogram may, but need not, correspond to a file in a file system. Aprogram can be stored in a portion of a file that holds other programsor data (e.g., one or more scripts stored in a markup languagedocument), in a single file dedicated to the program in question, or inmultiple coordinated files (e.g., files that store one or more modules,sub-programs, or portions of code). A computer program can be deployedto be executed on one computing device or on multiple computers that arelocated at one site or distributed across multiple sites andinterconnected by a communication network.

The processes and logic flows described in this specification can beperformed by one or more programmable processors executing one or morecomputer programs to perform actions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application-specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computing device.Generally, a processor will receive instructions and data from aread-only memory or a random access memory or both. The essentialelements of a computing device are a processor for performing actions inaccordance with instructions and one or more memory devices for storinginstructions and data. Generally, a computing device will also include,or be operatively coupled to receive data from or transfer data to, orboth, one or more storage devices for storing data. However, a computingdevice need not have such devices. Moreover, a computer can be embeddedin another device, e.g., a mobile telephone, a personal digitalassistant (PDA), a mobile audio or video player, a game console, aGlobal Positioning System (GPS) receiver, or a portable storage device(e.g., a universal serial bus (USB) flash drive), to name just a few.Devices suitable for storing computer program instructions and datainclude all forms of non-volatile memory, media and memory devices,including by way of example semiconductor memory devices, e.g., EPROM,EEPROM, and flash memory devices; magnetic disks, e.g., internal harddisks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROMdisks. The processor and the memory can be supplemented by, orincorporated in, special purpose logic circuitry.

To provide for interaction with a user, subject matter described in thisspecification can be implemented on a computer having a display device,e.g., an LCD (liquid crystal display) screen for displaying informationto the user and a keyboard and a pointing device, e.g., touch screen,stylus, mouse, by which the user can provide input to the computer.Other kinds of devices can be used to provide for interaction with auser as well; for example, feedback provided to the user can be any formof sensory feedback, e.g., visual feedback, auditory feedback, ortactile feedback; and input from the user can be received in any form,including acoustic, speech, or tactile input. In addition, a computingdevice can interact with a user by sending documents to and receivingdocuments from a device that is used by the user; for example, bysending web pages to a web browser on a user's client device in responseto requests received from the web browser.

Some of the subject matter described in this specification can beimplemented in a computing system that includes a back-end component,e.g., as a data server, or that includes a middleware component, e.g.,an application server, or that includes a front-end component, e.g., aclient computing device having a graphical user interface or a Webbrowser through which a user can interact with an implementation of thesubject matter described in this specification, or any combination ofone or more such back-end, middleware, or front-end components. Thecomponents of the system can be interconnected by any form or medium ofdigital data communication, e.g., a data network.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a data network. The relationship of client and server arises byvirtue of computer programs running on the respective computers andhaving a client-server relationship to each other. In someimplementations, a server transmits data to a client device. Datagenerated at the client device can be received from the client device atthe server.

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor patent disclosure, as it appears in the Patent and Trademark Officepatent file or records, but otherwise reserves all copyright rightswhatsoever.

While this specification contains many specific implementation details,these should not be construed as limitations on the scope of what may beclaimed, but rather as descriptions of features specific to particularimplementations. It will, however, be evident that various modificationsand changes may be made thereto without departing from the scope of thetechnique. The specification and drawings are, accordingly, to beregarded in an illustrative rather than a restrictive sense. Certainfeatures that are described in this specification in the context ofseparate implementations can also be implemented in combination in asingle implementation. Conversely, various features that are describedin the context of a single implementation can also be implemented inmultiple implementations separately or in any suitable subcombination.Moreover, although features may be described above as acting in certaincombinations and even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asubcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the implementations described above should not beunderstood as requiring such separation in all implementations, and itshould be understood that the described program components and systemscan generally be integrated together in a single software product orpackaged into multiple software products.

Thus, particular implementations of the subject matter have beendescribed. Other implementations are within the scope of the followingclaims. In some cases, the actions recited in the claims can beperformed in a different order and still achieve desirable results. Inaddition, the processes depicted in the accompanying figures do notnecessarily require the particular order shown, or sequential order, toachieve desirable results. In certain implementations, multitasking andparallel processing may be advantageous.

What is claimed is:
 1. A method of accepting a notification, the methodcomprising: receiving the notification, the notification containing amessage, a counter value, a signature, and an indication of a signer;processing the indication to obtain a signer identity corresponding tothe signer; obtaining, based on the signer identity, a previously storedcurrent counter value associated with the signer; comparing the countervalue with the current counter value; and accepting the receivednotification based upon the comparison.
 2. The method of claim 1 whereinthe counter value comprises a certificate counter value, and wherein theindication comprises the certificate counter value and a certificateauthority identity corresponding to the certificate authority thatgenerated the certificate counter value, and wherein the stored currentcounter value is further associated with the certificate authorityidentity, and wherein the method further comprises: processing theindication to obtain the certificate authority identity; and, whereinthe obtaining the current counter value comprises obtaining, based onthe signer identity and the certificate authority identity, thepreviously stored current counter value.
 3. The method of claim 1wherein the counter value comprises a message counter value and thecurrent counter value comprises a current message counter value, andwherein the indication further comprises an indication counter value anda certificate authority identity, wherein the obtaining furthercomprises obtaining, based on the signer identity and the certificateauthority identity, a previously stored current indication counter valueassociated with the signer identity and the certificate authorityidentity; and wherein the comparing further comprises comparing theindication counter value with the current indication counter value. 4.The method of claim 3, wherein the comparing comprises confirming thatthe message counter is greater than the current message counter, andconfirming that the indication counter is greater than or equal to thecurrent indication counter.
 5. The method of claim 1 wherein the countervalue comprises a message counter value.
 6. The method of claim 1wherein the processing the indication to obtain a signer identitycomprises processing the indication to obtain public key informationassociated with the signer, and wherein the obtaining, based on thesigner identity, comprises obtaining based on the public keyinformation.
 7. The method of claim 1 further comprising, when thenotification is accepted: processing the indication to obtain public keyinformation; and verifying the signature using the public keyinformation to authenticate the notification.
 8. The method of claim 6further comprising discarding the notification if the signature is notverified.
 9. The method of claim 1 further comprising discarding thenotification if the received notification is not accepted.
 10. Themethod of claim 1 wherein the indication comprises a certificate or animplicit certificate.
 11. The method of claim 1, wherein the comparingthe counter value and the current counter values comprises verifyingthat the counter value is equal to or greater than the current countervalue.
 12. The method of claim 11 further comprising if the comparisonfails, discarding the notification.
 13. The method of claim 1, whereinthe comparing the counter value and the current counter values comprisesverifying that the counter value is greater than the current countervalue.
 14. The method of claim 13 further comprising if the comparisonfails, discarding the notification.
 15. The method of claim 1, whereinthe certificate is an ECQV implicit certificate.
 16. The method of claim1, wherein the signature is one of a keyed MAC signature, DSA signature,and an ECDSA signature.
 17. The method of claim 1, wherein when thereceived notification is accepted based upon the comparison, the methodfurther comprising replacing the current counter value with the receivedcounter value.
 18. The method of claim 1, wherein the receivednotification is a warning message.
 19. The method of claim 1, whereinafter the received notification is accepted, the method furthercomprising: communicating the message to a user.
 20. The method of claim1, wherein when the counter value fails the comparison with the currentcounter value, the method further comprises discarding the receivednotification.
 21. The method of claim 1, further comprising if thecomparison fails, communicating the message to a user, and including aflag identifying the comparison failure.
 22. The method of claim 1,further comprising communicating the message to a user with adifferential flag identifying a state of the counter value as determinedby the comparison.
 23. A computing device including a processor andmemory operative to execute the method of claim
 1. 24. A softwareprogram product comprising a non-transitory machine readable mediumcomprising instructions that when executed on a processor of a computingdevice enable the computing device to perform the method of claim 1.